Traefik Enterprise and Cloudflare 101 | Traefik Labs

Traefik Enterprise is a unified cloud native networking solution that eases microservices networking complexity.

And what better way to ease the complexity of networking other than taking care of the undeniably tedious task that is managing HTTPS certificates.

In this 101 guide, I will show you how to install the latest version of Traefik Enterprise and how to configure a provider. With my configuration, your Traefik Enterprise automatically will get Let's Encrypt certificates and all certificate requests are validated against Cloudflare DNS.

You can find all the files for Traefik Enterprise on GitHub.

Prerequisites

To follow through with this guide, you need to have the following:

  • Kubernetes Cluster
  • Traefik Enterprise License Key
  • Cloudflare Account

Now that you have everything set up, let's get started!

Configuration

Since version 2.3.0 of Traefik Enterprise, you are able to install it without any additional tool. You can now deploy Traefik Enterprise with Argo CD or some other Continuous Delivery tool.

But first, you need to prepare all the Kubernetes objects.

Namespace

Create a new namespace for your installation with the CLI.

kubectl create namespace traefikee

Or with a file:

---
apiVersion: v1
kind: Namespace
metadata:
  name: traefikee

Secret (license)

Add the license as a secret from kubectl. For this example, I am using the Traefik Enterprise license.

kubectl create secret generic traefik-enterprise-license --from-literal=license=EXAMPLE-LICENSE -n traefikee

Or with a file:

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: traefik-enterprise-license
  namespace: traefikee
stringData:
  license: EXAMPLE-LICENSE

Static Configuration

Create a ConfigMap with the static configuration.

---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: traefikee
  name: traefik-enterprise-static-config
data: 
  static.yaml: | 
    entryPoints:
      web:
        address: ":80"
        http:
          redirections:
            entryPoint:
              to: websecure
              scheme: https
              permanent: true
      websecure:
        address: ":443"
api:
  dashboard: true
 
providers:
  kubernetescrd: {}
  kubernetesingress: {}
  
certificatesResolvers:
  cloudflare:
    acme:
      email: example@mail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1"

You can copy this example in your editor and modify it as you like. Make sure to change the example email address used here.

Manifest

With a simple Curl call, you can get your YAML manifest to deploy all Traefik Enterprise components.

Here's an example of the latest version of Traefik Enterprise:

curl -L -k "https://install.enterprise.traefik.io/v2.6?cluster=traefik-enterprise&namespace=traefikee" -o traefik-enterprise-manifest.yaml

Add environment variables for Cloudflare

First, create a Secret with your login information for Cloudflare API.

---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-credentials
  namespace: traefikee
type: Opaque
stringData:
  email: YOUR_CLOUDFLARE_EMAIL
  apiKey: YOUR_API_TOKEN

Edit the Traefik Enterprise manifest and add the environment variables to the traefik-enterprise-controller statefulSet, just after the license variable definition.

            - name: CF_API_EMAIL
              valueFrom:
                secretKeyRef:
                  key: email
                  name: cloudflare-api-credentials
            - name: CF_API_KEY
              valueFrom:
                secretKeyRef:
                  key: apiKey
                  name: cloudflare-api-credentials
Secure, manage, & scale all your APIs.See how Traefik Enterprise simplifies, automates, and centralizes API management and security with one easy-to-use solution.Learn More

Install Traefik Enterprise

It's finally time to install Traefik Enterprise!

Argo CD

Take all files and commit them to your Git repo. Now you are able to connect the repository with Argo CD. Create a new App and deploy Traefik Enterprise.

Kubectl

The easiest way to deploy Traefik Enterprise is with kubectl.

kubectl apply -f traefik-enterprise-ns.yaml
kubectl apply -f traefik-enterprise-license-secret.yaml
kubectl apply -f cloudflare-secret.yaml
kubectl apply -f traefik-enterprise-static-configmap.yaml
kubectl apply -f traefik-enterprise-manifest-cloudflare-env.yaml

Wait for all the Traefik Enterprise component to come up.

kubectl get po -n traefikee                              
NAME                                        READY   STATUS    RESTARTS   AGE
traefik-enterprise-controller-0             1/1     Running   0          21m
traefik-enterprise-plugin-registry-0        1/1     Running   0          22m
traefik-enterprise-proxy-598c694f9d-fdw2f   1/1     Running   0          22m
traefik-enterprise-proxy-598c694f9d-g625t   1/1     Running   3          22m

Operations

Dashboard

To add some basic security to your dashboard, create an HTTP basic auth middleware. Use the following command to create a base64 encoded htpasswd file with traefik as user and enterprise as password:

htpasswd -n -b traefik enterprise | openssl base64

Add your credentials to the secret for basic-auth:

---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-enterprise-dashboard-auth
  namespace: traefikee
data:
  users: |2
    dHJhZWZpazokYXByMSR6R2NRa0xLTCRPWDlFQkZkeVhCWjVNZ2hSVEgzYVMxCgo=

Define the basicAuth middleware to use the secret:

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-enterprise-dashboard-basicauth
  namespace: traefikee
spec:
  basicAuth:
    secret: traefik-enterprise-dashboard-auth

Create an ingress route to the service api@internal to enable the dashboard. Here, make sure to change the matching host rule.

YAML
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-enterprise-dashboard
  namespace: traefikee
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`dashboard.example.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-enterprise-dashboard-basicauth
  tls:
    certResolver: cloudflare

Apply the files with kubectl:

Bash
kubectl apply -f traefik-enterprise-basicAuth-secret.yaml
kubectl apply -f traefik-enterprise-dashboard-middleware.yaml
kubectl apply -f traefik-enterprise-dashboard-igr.yaml

And done! You can now connect to the dashboard in your browser with the URL you define in the ingressRoute.

API Portal

The API Portal groups all of the API specifications from your services into a web UI. Currently, Traefik Enterprise supports OpenAPI.

Add these two lines to your static configuration, to enable API Portal.

YAML
apiportal:
  path: spec.json

Create an ingress route to the service apiportal@internal to enable the API Portal dashboard. Don't forget to change the matching host rule here as well.

YAML
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-enterprise-api
  namespace: traefikee
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`apiportal.example.com`)
      kind: Rule
      services:
        - name: apiportal@internal
          kind: TraefikService
  tls:
    certResolver: cloudflare

Note: I would recommend that you added the Basic Auth middleware to your API. Otherwise, anyone can access your API Portal web UI without any authentication.*

Traefik Enterprise now searches every service. If there is a service detected which supports the OpenAPI format and can be reached under the path /api/swagger.json, this service will be listed in the API portal.

Example spec.json

Here is an example of an OpenAPI supported service.

YAML
---
apiVersion: v1
kind: Namespace
metadata:
  name: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-httpbin
  namespace: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api-httpbin
  template:
    metadata:
      labels:
        app: api-httpbin
    spec:
      containers:
        - name: whoami
          image: kennethreitz/httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: api-httpbin
  namespace: httpbin
  labels:
    app: api-httpbin
spec:
  type: ClusterIP
  ports:
    - port: 80
      name: api
  selector:
    app: api-httpbin
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: api-httpbin-tls
  namespace: httpbin
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`httpbin.example.com`)
      services:
        - name: api-httpbin
          port: 80
  tls:
    certResolver: cloudflare

Make sure to change the host values and then apply this files:

Bash
kubectl apply -f traefik-enterprise-static-configmap-apiportal.yaml
kubectl apply -f traefik-enterprise-apiportal-igr.yaml
kubectl apply -f traefik-enterprise-petstore-api.yaml

You can now check the API portal to have a look at your API.

Connect with teectl

To get things started, you need to install the teectl command-line tool.

Once your cluster is ready, generate credentials from your cluster using Traefik Enterprise. Generate the credentials on one of your controllers and use teectl to import the cluster credentials.

Bash
kubectl exec -n traefikee traefik-enterprise-controller-0 -- /traefikee generate credentials --kubernetes.kubeconfig="${KUBECONFIG}"  --cluster=traefik-enterprise > traefikee/config.yaml > config.yaml

Now you can import the cluster configuration to teectl.

Bash
teectl cluster import --file="config.yaml"

And finally, select this new cluster.

Bash
teectl cluster use --name traefik-enterprise

You can now use teectl to operate your cluster.

Conclusion

Since version 2.3.0, Traefik Enterprise deployment has been made very simple. In a few minutes, you are able to run Traefik Enterprise in our Kubernetes cluster.

I’m really happy to see how Traefik Enterprise is getting better and making your life easier! Always keep an eye on the new releases of Traefik Enterprise for more improvements and new capabilities.

Webinar: Centralize OIDC Auth at the API Gateway Level Learn why API gateways simplify authentication and how to configure and manage OpenID Connect using Traefik Enterprise.Watch the Webinar


This is a companion discussion topic for the original entry at https://traefik.io/blog/traefik-enterprise-cloudflare-101/